Category: GDPR News

Impact of the EU General Data Protection Regulation

The definition of personal data will become broader, bringing more data into the regulated perimeterPreviously, personal data has been defined as data which relates to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. The Regulation expands the definition of personal data such that data privacy will encompass other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity. Under the Regulation, if inaccurate personal data is held and has been shared with another organisation, the other organisation must be told about the inaccuracy so it can correct its own records. If a business is not in the EU, they will still have to comply with the RegulationNon-EU controllers and processors who deal with EU subjects’ personal data must comply with the new Regulation. Although enforcing regulation beyond EU borders will be a challenge, those providing products or services to EU customers, or processing their data, will face sanction under the Regulation if an incident is reported. Children’s dataThe Regulation will bring in special protection for children’s personal data. Introduction of data breach notification regulations and changes in liability will have a profound impact on the supply chainThere is no obligation to notify authorities of data breaches under the current Directive, although there are some sector-specific requirements, such as those applicable to communications providers and ISPs under the E-Privacy Directive. Not all breaches will have to be notified to the regulator, only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach and, where the breach puts individuals’ data at risk, the data subjects must also be informed. The Regulation clearly calls for more effective data breach investigation, categorisation, containment and response infrastructure. Additional information will also need to be provided to people making requests, such as data retention periods and the right to have inaccurate data corrected. Introduction of mandatory privacy risk impact assessmentsA privacy impact assessment is a tool which can help identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy. Privacy by designThe current EU Directive does not include any clauses related to privacy by design but under the new Regulation, data controllers will have to implement appropriate measures to ensure that processing protects the rights of the data subject, that only the minimum personal data will be processed, and that the data is not disclosed more widely than necessary. The international transfer of dataSince the Regulation will also be applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers will need to appoint representatives in the EU. The separate EU-U.S. Privacy Shield agreement also contains strict penalties for those in breach the privacy of European citizens and requires parallel consideration. Data portabilityThe right to data portability is new in the Regulation. Appointment of a Data Protection OfficerSome organisations will need to appoint or designate a DPO to take responsibility for data protection compliance.

GDPR is a good thing

GDPR solve two problems: * Businesses which collect whatever data they can put their hands on, and sell it to the data brokers. GDPR substantially changes it, allowing people to control their data. “You’d like to keep this data from this forever? Certainly! Now if your business unit is committing to GDPR responsibility for maintaining this data, we’ll notify the DPO and … oh, you want to delete it? Done. Cheers!”. What do you mean with “Auditable way of wiping data”? Just that there will be a log that the data was wiped, but the actual data is gone forever? In the event that you have to restore data from a backup for operational purposes, you need to cross reference it to the record of deletions that occurred since the backup was created to ensure that any such data is either not restored, or is immediately deleted again. Which company do you work for if you don’t mind me asking? ). Can you explain in more detail to how the GDPR applies to unstructured forms? Would those be forms specifically for inputing personal data, or any free text at all? Any personal data is subject, whether it is contained in Word documents, PowerPoints, spreadsheets, text files, database dumps, PST files, CSV files, etc, etc. Surely you’re not expect to treat any possible data you receive as personal, just in case? If you’re providing a consumer storage service, and users are uploading their own data for personal use, this is outside the remit of GDPR. If you’re providing a storage service to a business that handles personal data, your a data processor, not a data controller. If you’re the data controller, you need a classification technology that can identify personal data in those documents. GDPR the latter, is a general law… In our case it will likely mean that we have a defined documented procedure in place to remove the customers data within the specified period. It’s not just that you can no longer hold backups for an extended period as a form of pseudo archive, but that for those backups you do keep for operational restore purposes, you have to ensure that data that was deleted or redacted under the GDPR right to erase is not subsequently restored during a routine recovery, or is immediately deleted / redacted after the data set is recovered. I would not complete the transaction if that data was requested without very good reasons, and have already point-blank refused to take up ‘incentives’ for superfluous data. “Who does the GDPR affect? The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” “In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.” We find there is a core tension between GDPR’s principle of data minimization, and SaaS practice of data driven innovation I am an EU citizen, but live in a non-EU country. Does the GDPR regulation apply to data about me? I’m still thinking how I’m going to remove all that sensitive data from my old backups.

An Introduction to the GDPR

Designed to provide a common legal framework for data protection law and to protect the data assets and privacy of individuals within the EU, the GDPR represents the biggest shake-up of data protection regulation in more than twenty years. What is the GDPR? The General Data Protection Regulation 2016/679) is a new regulation which is intended to strengthen and unify data protection law within the European Union. Through a range of far-reaching provisions, the European Commission aims to give data subjects across Europe increased ownership and control over their personal data assets – ensuring the right to a private life – and to provide a simplified “One-stop shop” regulatory environment for the acquisition, the use and the storage of the personal data of European citizens. The GDPR will bring data protection regulation into the 21st century; designed with today’s technology in mind, it will replace the outdated Directive 95/46/EC, which dates back to 1995. Who Will Be Affected by the GDPR? The GDPR will apply to any business or entity, regardless of their geographical location, that holds or processes the personal data of EU citizens. “All data formats will be regulated by the GDPR – audio, video, photographs, IP addresses, device ID’s and cookies – are all covered by the regulation.” “Personal data” is defined as any data which may be used to identify an individual, either directly or indirectly, or as part of a collection of data spread across multiple systems. The GDPR has a broad definition of personal data and includes genetic, biometric, cultural, political, economic, social, mental and religious information. The requirement to appoint a Data Protection Officer Increased sanctions: the GDPR gives regulators the right to impose substantial fines for non-compliance – up to 4% of global turnover. The GDPR was published in the EU Official Journal on May 4th, 2016 and entered into force 20 days later on the 24th May. The regulation will become applicable on May 25th 2018, which gives all affected entities less than two years to ensure that their data storage and processing operations meet the new compliance requirements. An enterprise-wide review of all data acquisition, storage and processing practice is a vital first step in understanding how and where the GDPR will affect the business. Organisations should consider how they will locate and access all of the data that they hold – all held data that can be used to identify an individual, including voice calls and video recordings, must be easily located and distinguishable from the data of other individuals. A proactive approach to risk management is a common theme across many emerging regulations, such as the GDPR and MiFID II. Increasingly, businesses are being expected to demonstrate to regulators that they have taken all reasonable steps to mitigate exposure to risk, whilst customers and data subjects demand the best possible security for their valuable data assets. For all entities facing the GDPR – and other similar regulations – this inevitably means tackling some considerable challenges ahead. But, the technology available to businesses to address these issues has never been more capable and by taking advantage of advanced data security coupled with best-of-breed search and analysis technologies, these are challenges that can not only be overcome, but turned into exciting new opportunities. Through the aligning of modernised data protection law across Europe, in tandem with increased transparency and greater rights for individuals, the GDPR will enable businesses to capitalise on these opportunities as they take a step closer to a Single Digital Market and reap the benefits of a boost in consumer confidence.

CIOs Discuss Protecting Privacy and the GDPR

Increasingly in these forums and as I talk with CIOs and other business leaders, the conversation comes back to protecting privacy. Recently, in light of Data Privacy Day, Sharon Pitt, CIO of the Binghamton University, started off an interesting #CIOChat by saying how really important it is to think about safeguarding personal data. Peter Salvitti, CTO of Boston College, agreed, but then asked whether one day a year alone is really enough to safeguard data and maintain privacy awareness. Echoing Protegrity’s CEO Suni Munshani’s sentiments, Stephen diFilipo, CIO of the Institute for Transformational Learning, responded to Pitt and Salvitti by saying that, “Every day should be data privacy day.” Isaac Sacolick, former Global CIO for Greenwich Associates, said in turn that, “Organizations that define proper use of data drive greater business benefits and earn customer trust.” At this point Theresa Rowe, CIO of the University of Oakland, added to the discussion by asking everyone about new sources of data saying, “We need to help people understand how beacons and other sensor technologies may end up compromise privacy.” Salvitti suggested that we also should not forget the metadata created: “We need to remember that everything we are doing is being tracked.” Individuals’ awareness of this kind of digital surveillance in light of their Right to Privacy is at the heart of the EU’s General Data Protection Regulation. When asked about the Regulation, Pascal Viginier, CIO of the European telecom company Orange, said that for them it “Is a top initiative and a real opportunity for building customer trust.” He went onto to say that data privacy and opt-in are the most respectful ways to support customer privacy and freedom and begged the question, “How to make it the main stream in all regions?”. “On the flipside,” said David Chou, Chief Information and Digital Officer at Children’s Mercy Hospital, “People are willing to give up some privacy for a great experience.” This lead to a discussion on what marketers at firms like Nordstrom or services providers like Uber are doing with data and the steps they will take to meet customers’ expectations that personal information be protected. Ed Featherston, VP Principal Architect at Cloud Technology Partners, said at this point that privacy is, “a huge challenge in today’s world, a delicate balance of privacy vs. convenience, walking tightrope over shark tank.” He added that “Privacy is the rules, security is the mechanism to and enforce the rules.” I could not agree more with his contextualization of security and privacy, especially with respect to the GDPR. Delivering on the promise? Larry Larmeu, Managing Director L2 Digital, said that the GDPR is hugely important because most technology is not built for consumption by IT. Larmeu argues here that as technology always has a business purpose, privacy should always be considered during implementation. Brian Katz warned that “Only those that study GDPR will be ready,” complaining that it “Shouldn’t have to be just EU citizens” whose privacy is respected. Clearly data privacy needs more attention than one day a year; it needs to be part of an organization’s DNA and culture. I agree that more education is needed for brands to meet their custodial obligations to privacy. It is important that IT organizations focus their attention upon protecting data itself, rather than just protecting infrastructure; especially under the terms of the GDPR. If this is important to you, here is a nice summary of how to overcome GDPR challenges. Extending COBIT 5 data security and governance guidance.

GDPR Compliance

The GDPR imposes specific requirements and limitations on data transfers from the EU to countries outside the EU. Autotask currently offers a Data Processing Addendum containing standard contractual clauses allowing such transfers. We anticipate continuing to facilitate data transfers via standard contractual clauses after the implementation of the GDPR and are evaluating other legal bases for data transfer to ensure that our business partners and customers can continue to seamlessly use Autotask products after May 2018. Autotask is reviewing its data collection practices to determine whether any changes are necessary or appropriate prior to the GDPR’s effective date. Many of our customers use Autotask products to collect, process, and store PII. In these situations, Autotask functions as the data “Processor.” Decisions on what data to collect, how long it is stored and how it is used reside with customers who act as the data “Controller.” The GDPR fundamentally changes European privacy law and requires all companies that handle “Personal data” of individuals in the EU to adopt more stringent privacy and security practices. These investments include a comprehensive company-wide review of all Autotask business relationships, products, services and data handling practices. Autotask’s compliance effort is being led by its global Privacy Team, whose members include senior executives and product specialists from key functional areas and geographic regions and who have deep knowledge of and experience with Autotask’s products and data handling practices. Creation of data inventories and data flow maps for Autotask products; Review and update of Autotask contracts and licenses; Review and update of Autotask’s corporate and product-level privacy policies; Review and update of Autotask products and services; and. Review and update of Autotask’s data processing addendum for data transfers outside the EU. Over the next several months, we will be reaching out to our resellers and customers with updates on our GDPR compliance efforts and with important information on any changes to Autotask contracts, licenses, products, services and business practices that may affect sale and use of our products and services. The GDPR imposes significant obligations on all entities that process personal data, including Autotask resellers and customers who have their own privacy, security and data processing obligations. Does the GDPR apply to my organization? The GDPR applies to organizations that process personal data in the EU, as well as to organizations outside the EU that process personal data of natural persons located in the EU in certain specific situations. Do my data handling practices respect the rights of data subjects? The GDPR places a high value on data subject rights, including but not limited to the rights to notice, consent, transparency, portability, and erasure. Does my organization have data breach notification processes and procedures? Article 33 of the GDPR introduces new data breach notification requirements that include a requirement to notify data protection authorities of data breaches “Without undue delay and, where feasible, within 72 hours of becoming aware of the breach.” Direct notification of data subjects also is required in some circumstances, as set forth in Article 34. Does my organization need a data protection officer? The GDPR requires organizations to appoint a DPO in certain circumstances set forth in GDPR Article 37. Does my organization transfer data outside the EU? As in the case of the original 1995 Data Protection Directive, transfers of data outside the EU are governed by special rules restricting transfers to countries that lack adequate data protections unless certain requirements are met.

GDPR: The Overview

The General Data Protection Regulation was ratified in mid 2016 and immediately became law. Harmonisation across and beyond the EU. There will be one single set of rules across Europe which will make it simpler and cheaper for organisations to do business across the EU. In practical terms that means we’ll all be applying the same rules in determining what personal data is, who the data processors are, who the data controllers are, and so on. If your organisation is a public authority, or its core activities involve “Regular and systematic monitoring of data subjects on a large scale”, or it conducts large-scale processing of “Special categories of personal data”, then it needs to appoint a Data Protection Officer who has “Expert knowledge of data protection law and practices”, the level of which “Should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed.” There is also an increased emphasis on record keeping for controllers, this all being designed to help demonstrate and meet compliance with the GDPR and improve the capabilities of organisations to manage privacy and data effectively. The GDPR defines profiling as any automated processing of personal data to determine certain criteria about a person. Legitimate interest is one of the grounds, like consent, that an organisation can use in order to process data and satisfy the principle that data has been fairly and lawfully processed. The GDPR specifically recognises that the processing of data for “Direct marketing purposes” can be considered as a legitimate interest. The GDPR actually says that processing is lawful if “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” Unfortunately, “Direct Marketing” has not been defined by GDPR and requires clarification. In the event of a personal data breach data controllers must now notify the appropriate supervisory authority “Without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “Reasoned justification” for the delay. Notice is not required if “The personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.” It’s not yet clear what this means in practical terms but if the controller determines that the personal data breach “Is likely to result in a high risk to the rights and freedoms of individuals,” it must, subject to a few exceptions, also communicate information regarding the personal data breach to the affected data subjects “Without undue delay.” Individuals will have more information on how their data is processed and this information needs to be made available in a clear and understandable way. Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access. Clearly focussed on helping drive competition between service providers, this part of the GDPR seeks to drive automated transfers of data between services which primarily process customers automatically – so for example these could include utilities, banks, telecoms and ISP’s. Data controllers must inform data subjects of the period for which their data will be retained. Should the data subject subsequently wish to have their data removed and the data is no longer required for the reasons for which it was collected then it must be erased.

Information Security Buzz

“In a digital age, data privacy is a basic human right. With the clock counting down to the deadline for compliance with the EU’s General Data Protection Regulation, businesses should be putting the final processes in place to provide the best, most efficient way of protecting customers’ most valuable assets – their data and identity.” If we look at the CEX data breach where the details of two million customers were compromised, the company could have faced fines in excess of more than £5.5 million under the GDPR regime. In order to move fast and survive, global businesses need rapid and secure access to data. What’s needed is a new approach that brings together those data operators responsible for managing, securing and distributing the data with those data consumers that are using it to run the business. The DataOps movement offers such an approach attempting to make data operators and consumers work together to ensure sensitive data is secured and the right data is made available to the right people. At the heart of DataOps, is the ability to intelligently mask personal data at scale. With 90% of data held as copies in test, reporting and analytics systems, dynamic data platforms will protect individuals and accelerate project delivery. “With the right approach and tools in place, it will be much easier for organisations to keep track of all sensitive information, mask it where necessary, and control who has access to data and for how long. However, businesses must act fast to ensure these processes are in place within the next six months. In a data driven world, how companies handle security and privacy issues will define the winners and losers.” “As delineated in GDPR there is a difference between website analytics and unnecessary collection of consumer data. Among other things, the valid use of session replay scripts helps website operators understand how users navigate the websites with the aim of streamlining or improving the user experience. As with any third-party code, these analytics scripts can be compromised without the website operator’s knowledge and can cause security and data privacy problems, which happened to Hotjar in December 2015. These reasons should compel companies to continuously monitor not only their own website code, but that of third parties to ensure that best practices are adhered to and that data privacy of customers are ensured.” “While the DVLA is perfectly within its rights to sell personal data to private firms at this point in time, the incoming General Data Protection Regulation has the potential to close that lucrative side-line overnight, if motorists are aware of their rights.” “From 25 May next year, companies will have to show compliance with the new regulation, one of the requirements of which is the need for informed and unambiguous consent to be in place before data can be shared with third parties.” “As a government agency, I would expect DVLA to be completely transparent about requesting that consent anew from all motorists. Failing that, drivers will of course have the right to withdraw any pre-supposed consent at any time. In either case, the agency will not be able to pass data on in the manner in which it is currently doing so.” “The first area of concerns here is the legality of recording peoples keystrokes without first informing them of the fact. Second is whether the data is protected in line with PCI standard requirements.” Many web forms collect personal and financial data from potential customers. “The collection and storage of information not submitted by a potential customer will definitely be a breach of the EU GDPR, as permission to collect, store and process the data has not been given.”

MUNICH, Germany – 22 Jun 2017: IBM today announced sweeping advances to its data governance and data science initiatives designed to help developers and analysts tap into the power of cognitive computing. Through new solutions and services, organizations will gain greater understanding and control of their data, while facilitating their ability to prepare for rising data regulations, like the European Union’s General Data Protection Regulation. As part of the moves, IBM announced new data governance solutions and tools, data science and machine learning advances, and the formation of the Open Data Governance Consortium for Apache Atlas, dedicated to advancing the open framework for data governance. As more developers harness data science and machine learning, they are able to create cognitive applications and services that lead to greater data visibility and deeper insights to make data-driven decisions. At the heart of preparing for regulation, such as GDPR, is data governance, which provides diligent and comprehensive data management practices for data integrity, security, usability, and availability. To make this easier for organizations and drive widespread adoption of data governance, IBM today is announcing the Open Data Governance Consortium for Apache Atlas. The news of the Open Data Governance Consortium for Apache Atlas follows strategic partnership IBM announced last week with Hortonworks, maker of one of the leading distributions of Hadoop, the Hortonworks Data Platform. IBM Unified Governance Software Platform – a new software platform comprising data management capabilities, including many which may be mapped to the GDPR, such as cognitive metadata harvest, lineage tracking, policy enforcement, data integration services and persona-based reporting; Information Governance Catalog Download & Go – a fast, new software download that lets clients download, install and run specific governance tools directly to their systems, quickly and easily. StoredIQ – the popular data discovery software that helps users identify the types of unstructured data residing across their organizations, has been augmented with new analytics “Cartridges,” or software modules, that people can download at no cost to begin recognizing sensitive, personal data, as well. Available for 15 European Union country-specific downloads, and their 11 languages, these cartridges are designed to help shorten the time it takes to discover personal data and better prepare for rising regulation, like GDPR. Applying Data Science and Machine Learning to Governance. Increasingly critical to data governance is the ability to analyze and distill troves of data for insights and compliance. IBM today expanded its data science and machine learning innovations across Europe, to give more global enterprises access to the tools needed to apply data intelligence as they prepare for regulatory compliance. Now, data scientists in the UK and across Europe are able to use the collaborative environment to easily and quickly team on analytic models that drive the creation of intelligent applications and generate data insights. “The potential of data science and big data can only be realized with a unified approach to governance,” said Michael Willette, Executive Director and Technical Fellow, Data and Analytics, at financial services company, USAA. “IBM’s strategy is a good approach to addressing compliance concerns while allowing our users to find and discover data for analysis and data driven decision-making.” “From the sheer volume and the continued distribution of data across evermore complex network clusters, to the rising tide of data regulations, such as GDPR, the need to organize, analyze and govern that data grows more critical every day,” said Rob Thomas, General Manager, IBM Analytics.

GDPR news: UK data watchdog opens GDPR helpline for SMBs

Designed to give people more control over their data, GDPR represents a challenge to organisations, who must bring their data protection policies into line with the regulation by the 2018 deadline. GDPR will compel organisations to secure clearer consent for using people’s information, and will introduce tougher fines for failing to protect people’s data. 03/11/2017: The Information Commissioner’s Office this week launched a helpline for SMBs preparing for the General Data Protection Regulation. The phone service, which opened on 1 November, is designed to address the specific data protection challenges facing the estimated 5.4 million SMBs operating in the UK. With staff on hand to answer questions, the service acts as an extra resource to the ICO’s existing guidance, with an emphasis on helping people with obstacles particular to their businesses. The ICO already offers firms of all sizes a 12-step guide to preparing for GDPR, which comes into effect in the UK from 25 May 2018, giving people more rights over their data, and imposing tougher fines on organisations that fail to protect it. 06/08/2017: One in five large UK businesses are completely in the dark when it comes to the application of GDPR in their organisation, according to new data. First, GDPR requires people’s consent for their data to be held and shared – consent that will have to be reaffirmed actively once the legislation comes into force in May. Second, EU residents have the right to access all the data held about them at any time and also to request their data is removed at any time. Both of these may be a challenge when so many systems are used and if the data is no longer in the full control of the initial data controller. Another issue raised by the survey is understanding data ownership – a key tenet of GDPR. Only 27% of those questioned thought personal data belonged to the customer, with 50% thinking it belongs to the organisation holding it. Chris Mayers, chief security officer at Citrix, said: “Ensuring data privacy processes and systems are in place – from privacy by design to privacy by default – requires an organisation to know exactly where their data is and who can access it. Yet many are losing sight of data, spread across multiple systems and shared with multiple partners, while also struggling to scale up to store and control the huge influx of personal customer data they receive today.” “Businesses must recognise that more centralised application and data storage environments will make it easier to meet technical compliance goals. This centralisation can be achieved in various ways, from introducing unified access controls across on-premise and cloud services with single sign-on to rolling out centrally-managed virtual workspaces. However, it is done, controlling data sprawl and recognising enterprise accountability around data privacy will be key to GDPR compliance,” he added. The EU General Data Protection Regulation comes into force across the soon-to-be 27 nation bloc 25 May 2018, by which point any organisations handling EU residents’ data must be compliant or face tough fines for breaches, of up to 4% of their annual turnover or €20 million, whichever is greater. As a result, CIF has updated its Code of Practice for CSPs to ensure they’re compliant with the stricter data protection rules, which hand EU residents more control over their personal data and require organisations holding or processing the data to be transparent about what they’re using it for. Collaboration platform Box’s VP of compliance, Crispin Maung, told IT Pro earlier this year that data protection authorities “Are struggling with figuring out what GDPR compliance really means and how they are going to measure [it]”. Retailer John Lewis and bank HSBC both criticised the UK data protection authority’s guidance so far on GDPR compliance, calling it “Woolly”.

GDPR News Center – General Data Protection Regulation

“Article 4 of the GDPR will have a big impact on marketers,” says Van Uytven, before going on to quote article 4 of GDPR which defines how user consent for personal data usage must be given, which is, “By a statement or by a clear affirmative action, [signifying] agreement to personal data relating to them being processed.” Inbound marketing is a gigantic slice of the daily routine of a digital marketer, and GDPR is about to regulate it like never before. Countdown to GDPR. Here’s a brief refresher: The GDPR is an EU regulation meant to harmonize the patchwork of data protection laws in Europe. A Partnership of Responsibilities for GDPR. When it comes to GDPR compliance, Workday and our customers both have responsibilities: our customers as data controllers, and Workday as a data processor. To quote from the official GDPR FAQ page, “A controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.” Below we provide some highlights about the protections Workday provides in its role as the data processor, and the tools we offer our customers to meet their responsibilities as data controllers. Cross-border data flows: The GDPR continues to allow the flow of personal data across country borders, and includes provisions ensuring existing data transfer mechanisms remain valid going forward. In addition to Workday’s own compliance obligations under the GDPR as a processor of customers’ personal data, Workday also assists our customers in meeting their obligations under the GDPR in a variety of ways. The EU will implement the most dramatic law of its kind governing data in May. The General Data Protection Regulation will strengthen and unify data protection for all individuals within the EU. When it becomes effective, it will give control of personal data back to citizens and residents and simplify the regulatory environment for international business by unifying the regulation within the EU, replacing a data protection directive from 1995. The GDPR extends the scope of the EU data protection law to all foreign companies processing data of EU residents. There are some truly revolutionary aspects of the GDPR- both from the perspective of the data user and the data provider or processor. The biggest change to the regulatory landscape of data privacy associated with the GDPR is its extended jurisdiction-it applies to all companies processing the personal data of individuals residing in the EU, regardless of the company’s location. The GDPR will also apply to the processing of personal data in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens and the monitoring of behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens must also appoint a representative in the EU. The conditions for consent have been strengthened under the regime. Part of the expanded rights of data subjects outlined by the GDPR will also be their right to obtain from the data ‘controller’ confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose. Also known as Data Erasure, the “Right to be forgotten” entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The EU’s new General Data Protection Regulation is a set of rules that give consumers rights about how their data is stored, used, and deleted. With the May deadline for compliance edging ever closer, a vast majority of organizations believe that compliance with the upcoming General Data Protection Regulation would be difficult to achieve.

GDPR Awareness Coalition

DUBLIN, IRELAND – A survey of 200+ companies at TechConnect Live conducted by DataSolutions on behalf of the GDPR Awareness Coalition has found that 71% of SME’s in Ireland do not view the need to be GDPR compliant by next May as a top business priority despite an increase in awareness. When asked “How high of a priority is GDPR compliance to your company”, 26% of respondents responded with “Not a priority” with a further 45% indicating that it was “Only one of a number of priorities.” 53% of companies surveyed indicated that they had yet to begin the compliance process with a tiny minority of 2% indicating that they were GDPR complaint already. “What we’re seeing here is really worrying. With only one year to go until the introduction of GDPR it’s clear that Irish businesses are still struggling to understand the significance of GDPR and the impact it will have on their day to day business operations.” Dr. Dennis Jennings, Chairperson of the GDPR Awareness Coalition said. The survey also found that general awareness of GDPR is increasing with only 16% of respondents responding that they had not heard of GDPR while 67% of respondents said they were either familiar or had expert knowledge. “The only comforting element to this survey is that while general awareness of GDPR is increasing, there is still a real need to raise awareness of the impact GDPR will have on the SME sector to spark movement towards compliance. Based on what we’re seeing, it looks like businesses are keen to be GDPR compliant but don’t know what full GDPR compliance looks like”. 200 companies responded as part of the GDPR Awareness Coalition’s survey which took place between 9am and 12.30pm at TechConnect Live in the RDS, Dublin on the 31 May. Of those surveyed 62% identified as SME, 21% as large and 17% as corporate. The GDPR Awareness Coalition is a not-for-profit, fixed-term initiative designed to assist in raising awareness of the data privacy obligations for companies resulting from the implementation of the GDPR. The establishment of this initiative was motivated by the growing concern that GDPR awareness throughout Ireland is unbalanced among enterprise, construction and retail sectors. In response to this issue, the GDPR Awareness Coalition has assembled an expanding list of more than 50 engaged Coalition Partners that include GDPR experts, vendors, and legal, fiscal, event and general collaborators, and business associations. “With many of the world’s leading companies calling Ireland home for their operations in Europe, it was a concern to us when we read some of the recent reports that Ireland had a below-average awareness of the GDPR in comparison to other EU countries. We felt if we could help raise this awareness, we should.” To help further this initiative, Dr. Jennings will join Mr. Connolly as Co-chair to the GDPR Awareness Coalition. “I am very pleased to have been invited to be the Co-chair of the GDPR Awareness Coalition, and I look forward to contributing to the effort.” The GDPR Awareness Coalition will culminate in a conference / workshop for all interested parties, collocated with the TechConnect Live event in Dublin on 31 May, 2017. The General Data Protection Regulation Awareness Coalition is a not-for-profit, fixed-term initiative designed to assist in raising awareness of the data privacy obligations for companies resulting from the implementation of the GDPR. The GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union. The establishment of this initiative was motivated by the growing concern that GDPR awareness throughout Ireland is unbalanced among enterprise, construction and retail sectors. Coalition Partners include GDPR experts, as well as vendors, legal, fiscal, event and general collaborators.

What is GDPR? Everything you need to know

More than half of EU businesses don’t know what the impact of GDPR on their organisation will be. 17/11 – NEWS – Microsoft previews new GDPR compliance tool – GDPR Compliance Dashboard will allow Microsoft cloud customers to make sure they are equipped for the new legislation…. 16/11 – NEWS – Only a fifth of UK large businesses are ready for GDPR – Survey reveals many big companies are nowhere near ready for the May 25th deadline…. 14/11 – FEATURE – José Alberto Ruiz/Cornerstone OnDemand – GDPR: Where should HR start? – When the new regulation comes into effect, the HR department will be responsible for the personal data it collects on applicants as well as current employees. 14/11 – NEWS – GDPR could hit UK law firms hard – Majority of firms say they are unprepared for the effects of GDPR, but also need to up cybersecurity protection, CenturyLink study finds…. 09/11 – NEWS – IBM gives clients new control over data as GDPR approaches – Company boosts data control processes at its Frankfurt data centre…. 08/11 – FEATURE – Louise Boyd/Me Learning – E-Learning company helps UK businesses prepare for GDPR – Is your organisation ready for the upcoming regulation? Businesses will have to listen…. 07/07 – FEATURE: Mark Sangster/eSentire – The GDPR is coming: Are you prepared? – GDPR is a sweeping new EU privacy regulation that has extensive implications for U.S. firms too. 16/06 – FEATURE: Brian Rutledge/Spanning – The global impact of GDPR: Prepare now, avoid potential litigation & fines later – GDPR impact on business is proving to be one of the most talked about global regulations to-date, related to data governance and data privacy…. 15/06 – FEATURE: John Morrell, Datameer – Governing big data analytics for GDPR compliance – GDPR changes the way entire organisations interact with personal data, and thus big data analytics. What is GDPR? The General Data Protection Regulation, or GDPR, is one of the most important pieces of legislation ever passed for IT departments. Under GDPR, companies will also have to be more up front when collecting the personal data of customers – meaning consent will need to be explicitly given, as well as the gatherers needing to detail the exact purpose that this data will be used for. GDPR stands for General Data Protection Regulation, also officially known as EU Regulation 2016/679. Because data protection concerns stretch across national boundaries, the introduction of GDPR seeks not just to regulate data within the EU. It seeks to extend EU data protection law to any organisation holding information on EU citizens, even if that organisation is based outside the EU. For businesses, GDPR means keeping a much tighter rein on the data they possess, and should also improve security awareness and protection levels for many. Who does GDPR apply to? Is my business affected by GDPR? Short answer – yes. If you are a business that deals with online data in any way, you will need to comply with GDPR before next year’s deadline. For the moment, the EU states that, if you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR irrespective as to whether or not the UK retains the GDPR post-Brexit. If you are based outside of the European Union, your business could well still need to comply with GDPR. The EU states that the rules will apply to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. EU GDPR website – a central repository for everything you need to know about GDPR. – EU GDPR FAQs – answers to some of the most pressing GDPR questions. ICO overview of GDPR – guidance for UK businesses on what GDPR is.

RSA Unveils New GDPR Compliance Offerings

Europe’s General Data Protection Regulation is, by name, just another information security compliance regulation requiring that organizations protect personal data from being stolen by hackers. The emphasis on data protection has changed: it is traditionally designed to protect data from criminals; but this regulation is designed to protect data for the user. They must explicitly agree to the collection of data for a specific purpose; and they can withdraw consent and require companies to delete that data. Organizations will need to be able to prove user agreement to the collection of personal data; and must be able to demonstrate deletion of that data after demand. “I think the bigger part of GDPR is to do with process, and the process burden is going to be huge. One of the big new things is the whole personal data lifecycle – from getting consent and proving user consent, to processing user data and then deleting that data after processing it solely for the purpose for which it was collected; and being able to delete it at any time on the users’ request. Although some organizations already do that, a lot of companies don’t do it very well, and don’t have the evidence to prove they are doing it. GDPR is very much evidence based.” It is against the background of GDPR being as much about data governance as it is about information security that RSA has today beefed up its Archer governance suite specifically to aid compliance with the governance side – and more – of GDPR. “Ultimately,” it says in a statement released today, “GDPR is not just a Governance, Risk and Compliance issue. GDPR spans the full enterprise and forces companies to adopt a healthier privacy and security risk posture in four critical areas: Risk Assessment, Breach Readiness, Data Governance, and Compliance Management.” It is in these four areas that Archer, combined with RSA NetWitness and the RSA Data Risk and Security Practice can aid GDPR compliance. On risk assessment, RSA suggests that Archer’s components will help accelerate the identification of the linkage between risks and internal controls, potentially reduce the GDPR compliance gaps and improve risk mitigation strategies. On breach response, GDPR requires that regulators are notified of a breach generally within 72 hours of the company becoming aware of the breach. RSA offers its SecurID suite and Data Risk and Security Practice service to cover the mainstream governance side of GDPR. Compliance is no longer a destination, but a continuing state, it suggests. While under earlier European laws, companies needed only worry about compliance if they were breached, with GDPR they can be found non-compliant in data governance areas at any time. This suite of services helps an organization optimize a GRC program; put in place the processes to enable a prompt response to cyber incidents; prepare to meet the new 72-hour notification requirements; and plan and implement GDPR-compliant data access programs. The term ‘breach’ is given a wider than usual scope under GDPR. “A breach in GDPR could be lack of availability,” Knowles told SecurityWeek; “So a successful DDoS – which may not usually be classed as a breach – could be classed as a breach in GDPR terms if users lose access to their data.” Firstly the victim gets all the disruption and cost of the ransomware, but secondly it is potentially and automatically in breach of GDPR. “If you can show that you are doing the right things, that you have the right controls in place,” says Knowles, “Then the regulators are more likely to be lenient from the GDPR perspective. But on the other hand, if the ransomware could have been stopped had you applied the correct patches, the regulator might not be so lenient.” GDPR compliance is a complex mix of security technology to protect the data, tied together with governance processes to manage the personal data lifecycle, backed up by the availability of continuous evidence to prove that you are doing the right things at all times.

News – General Data Protection Regulation

Cloud Security Alliance Issues New Code of Conduct for GDPR Compliance Significant updates provide actionable guidance to reflect new European personal protection obligations. Edinburgh, Scotland – November 21, 2017 – The Cloud Security Alliance, the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today released the CSA Code of Conduct for GDPR Compliance, which provides cloud service providers, cloud customers, and potential customers with much-needed guidance in order to comply with the new obligations stemming from the European General Data Protection Regulation. As part of this release, the CSA has also launched the CSA GDPR Resource Center, a new, community-driven website with tools and resources to help educate cloud service providers and enterprises on the new European data protection regulation. “Companies worldwide are struggling to keep pace with shifting regulations affecting personal data protection. The Privacy Level Agreement Working Group realized it was critical for cloud providers to have guidance that would enable them to achieve compliance with EU personal data protection legislation,” said Francoise Gilbert, CSA Lead Outside Counsel and PLA Working Group co-chair. “With the introduction of GDPR, data protection compliance becomes increasingly risk-based. Data controllers and processors are accountable for determining and implementing within their organizations appropriate protection levels for the personal data they process,” noted Paolo Balboni, European ICT, privacy and data protection lawyer, and co-chair of the Privacy Level Agreement Working Group. “In this scenario, the CSA Code of Conduct for GDPR Compliance is of fundamental importance as it gives guidance for legal compliance and the necessary transparency on the level of data protection offered by the CSPs.”. Fair and transparent processing of personal data; Information provided to the public and to data subjects GDPR); Exercise of data subjects’ rights; Measures and procedures referred to in Articles 24 and 25 GDPR and the measures to ensure security of processing referred to in Article 32 GDPR; Notification of personal data breaches to supervisory authorities GDPR) and the communication of such personal data breaches to data subjects; and. The CSA Code of Conduct for GDPR Compliance contains mechanisms that enable the body referred to in Article 41 GDPR to carry out mandatory compliance monitoring by the controllers or processors who undertake to apply it, without prejudice to the tasks and powers of competent supervisory authorities pursuant to Article 55 or 56 of GDPR. “The CSA Code of Conduct for GDPR Compliance offers cloud customers a tool to evaluate the level of personal data protection offered by different CSPs and make informed decisions on how they will secure that data,” said Daniele Catteddu, Chief Technology Officer, CSA. “We are extremely proud of the work that went into this latest iteration.” The CSA PLA Working Group was formed in 2012 to help transpose the Art. 29 WP and EU National Data Protection Regulators’ recommendations on cloud computing into an easy-to-use outline for CSPs to follow when disclosing personal data-handling practices. The scope and objective of the PLA initiative was previously presented to the European Parliament as part of discussions on the potential effect of the proposed General Data Protection Regulation on cloud computing. The PLA Working Group has been engaged in defining a structured method for communicating the level of privacy that a CSP agrees to maintain. The PLA Working Group is comprised of independent privacy and data protection subject matter experts, privacy officers, and representatives from data protection authorities. The CSA Code of Conduct for GDPR Compliance is free and available at: https://gdpr. For access to the CSA GDPR Resource Center, visit https://gdpr.